vulnrichment / Ibm / VULNRICHMENT:CVE-2023-35899
Mar 05, 2024 - 6:55 p.m.

CVE-2023-35899 IBM Cloud Pak for Automation CSV injection

2024-03-05 18:55:44
CWE-1236
ibm
github.com
2
ibm cloud pak automation
csv injection
remote attack

CVSS3: 7

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 7.4
Confidence: Low

SSVC

Exploitation: none
Automatable: no
Technical Impact: total

IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV injection. A remote attacker could execute arbitrary commands on the system because CSV file contents are improperly validated. IBM X-Force ID: 259354.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*",
      "cpe:2.3:a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*",
      "cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.2:-:*:*:*:*:*:*",
      "cpe:2.3:a:ibm:cloud_pak_for_business_automation:23.0.1:-:*:*:*:*:*:*"
    ],
    "vendor": "ibm",
    "product": "cloud_pak_for_business_automation",
    "versions": [
      {
        "status": "affected",
        "version": "18.0.0",
        "versionType": "custom",
        "lessThanOrEqual": "18.0.2"
      },
      {
        "status": "affected",
        "version": "19.0.1",
        "versionType": "custom",
        "lessThanOrEqual": "19.0.3"
      },
      {
        "status": "affected",
        "version": "20.0.1",
        "versionType": "custom",
        "lessThanOrEqual": "20.0.3"
      },
      {
        "status": "affected",
        "version": "21.0.1",
        "versionType": "custom",
        "lessThanOrEqual": "21.0.1_if008"
      },
      {
        "status": "affected",
        "version": "22.0.2",
        "versionType": "custom",
        "lessThanOrEqual": "22.0.2_if005"
      },
      {
        "status": "affected",
        "version": "23.0.1",
        "versionType": "custom",
        "lessThanOrEqual": "23.0.1_if001"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "cpes": [
      "cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*"
    ],
    "vendor": "ibm",
    "product": "cloud_pak_for_business_automation",
    "versions": [
      {
        "status": "affected",
        "version": "21.0.3",
        "versionType": "custom",
        "lessThanOrEqual": "21.0.3_if023"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
